shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-21 22:04:01 +03:00
Code

Merge pull request #28243 from bluca/sbat_initrd

Browse Source 
ukify: enable --sbat for UKIs too
This commit is contained in:
Lennart Poettering 2023-07-06 10:21:44 +02:00 committed by GitHub
commit e40cad1f3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 58 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
man/ukify.xml
View File

@ -366,6 +366,19 @@
<varname>SignKernel=</varname>/<option>--sign-kernel</option> is true, and the binary has already <varname>SignKernel=</varname>/<option>--sign-kernel</option> is true, and the binary has already
been signed, the signature will be appended anyway.</para></listitem> been signed, the signature will be appended anyway.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
<term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>
<listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
whole groups of UKIs or addons with a single, static policy update that does not take space in
DBX/MOKX. If not specified manually, a default metadata entry consisting of
<literal>uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal>
will be used, to ensure it is always possible to revoke UKIs and addons. For more information on
SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink>
</para></listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
@ -412,27 +425,6 @@
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2>
<title>[Addon:<replaceable>NAME</replaceable>] section</title>
<para>Currently, these options only apply when building PE addons.</para>
<variablelist>
<varlistentry>
<term><varname>SBAT=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></varname></term>
<term><option>--sbat=<replaceable>TEXT</replaceable>|<replaceable>@PATH</replaceable></option></term>
<listitem><para>SBAT metadata associated with the addon. SBAT policies are useful to revoke whole
groups of addons with a single, static policy update that does not take space in DBX/MOKX. If not
specified manually, a default metadata entry consisting of
<literal>uki.addon.systemd,1,UKI Addon,uki.addon.systemd,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html</literal>
will be used, to ensure it is always possible to revoke addons. For more information on SBAT see
<ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim's documentation.</ulink></para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -457,6 +449,8 @@
--linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \ --linux=/lib/modules/6.0.9-300.fc37.x86_64/vmlinuz \
--initrd=early_cpio \ --initrd=early_cpio \
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \ --initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html' \
--pcr-private-key=pcr-private-initrd-key.pem \ --pcr-private-key=pcr-private-initrd-key.pem \
--pcr-public-key=pcr-public-initrd-key.pem \ --pcr-public-key=pcr-public-initrd-key.pem \
--phases='enter-initrd' \ --phases='enter-initrd' \

21
src/ukify/test/test_ukify.py
View File

@ -454,7 +454,14 @@ def test_addon(tmpdir):
'build', 'build',
f'--output={output}', f'--output={output}',
'--cmdline=ARG1 ARG2 ARG3', '--cmdline=ARG1 ARG2 ARG3',
"""--sbat=sbat,1,foo
foo,1
bar,2
""",
'--section=.test:CONTENTZ', '--section=.test:CONTENTZ',
"""--sbat=sbat,1,foo
baz,3
"""
] ]
if stub := os.getenv('EFI_ADDON'): if stub := os.getenv('EFI_ADDON'):
args += [f'--stub={stub}'] args += [f'--stub={stub}']
@ -473,9 +480,21 @@ def test_addon(tmpdir):
# let's check that objdump likes the resulting file # let's check that objdump likes the resulting file
dump = subprocess.check_output(['objdump', '-h', output], text=True) dump = subprocess.check_output(['objdump', '-h', output], text=True)
for sect in 'text cmdline test'.split(): for sect in 'text cmdline test sbat'.split():
assert re.search(fr'^\s*\d+\s+.{sect}\s+0', dump, re.MULTILINE) assert re.search(fr'^\s*\d+\s+.{sect}\s+0', dump, re.MULTILINE)
pe = pefile.PE(output, fast_load=True)
found = False
for section in pe.sections:
if section.Name.rstrip(b"\x00").decode() == ".sbat":
assert found is False
split = section.get_data().rstrip(b"\x00").decode().splitlines()
assert split == ["sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md", "foo,1", "bar,2", "baz,3"]
found = True
assert found is True
def unbase64(filename): def unbase64(filename):
tmp = tempfile.NamedTemporaryFile() tmp = tempfile.NamedTemporaryFile()

34
src/ukify/ukify.py
View File

@ -601,10 +601,10 @@ def pe_add_sections(uki: UKI, output: str):
pe.write(output) pe.write(output)
def merge_sbat(input: [pathlib.Path]) -> str: def merge_sbat(input_pe: [pathlib.Path], input_text: [str]) -> str:
sbat = [] sbat = []
for f in input: for f in input_pe:
try: try:
pe = pefile.PE(f, fast_load=True) pe = pefile.PE(f, fast_load=True)
except pefile.PEFormatError: except pefile.PEFormatError:
@ -621,6 +621,15 @@ def merge_sbat(input: [pathlib.Path]) -> str:
# needs to be first. # needs to be first.
sbat += split[1:] sbat += split[1:]
for t in input_text:
if t.startswith('@'):
t = pathlib.Path(t[1:]).read_text()
split = t.splitlines()
if not split[0].startswith('sbat,'):
print(f"{t} does not contain a valid SBAT section, skipping.")
continue
sbat += split[1:]
return 'sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n' + '\n'.join(sbat) + "\n\x00" return 'sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n' + '\n'.join(sbat) + "\n\x00"
def signer_sign(cmd): def signer_sign(cmd):
@ -755,11 +764,15 @@ def make_uki(opts):
# UKI or addon creation - addons don't use the stub so we add SBAT manually # UKI or addon creation - addons don't use the stub so we add SBAT manually
if linux is not None: if linux is not None:
# Merge the .sbat sections from the stub and the kernel, so that revocation can be done on either. # Merge the .sbat sections from stub, kernel and parameter, so that revocation can be done on either.
uki.add_section(Section.create('.sbat', merge_sbat([opts.stub, linux]), measure=False)) uki.add_section(Section.create('.sbat', merge_sbat([opts.stub, linux], opts.sbat), measure=True))
uki.add_section(Section.create('.linux', linux, measure=True)) uki.add_section(Section.create('.linux', linux, measure=True))
elif opts.sbat: else:
uki.add_section(Section.create('.sbat', opts.sbat, measure=False)) if not opts.sbat:
opts.sbat = ["""sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
"""]
uki.add_section(Section.create('.sbat', merge_sbat([], opts.sbat), measure=False))
if sign_args_present: if sign_args_present:
unsigned = tempfile.NamedTemporaryFile(prefix='uki') unsigned = tempfile.NamedTemporaryFile(prefix='uki')
@ -1131,11 +1144,10 @@ CONFIG_ITEMS = [
ConfigItem( ConfigItem(
'--sbat', '--sbat',
metavar = 'TEXT|@PATH', metavar = 'TEXT|@PATH',
help = 'SBAT policy [.sbat section] for addons', help = 'SBAT policy [.sbat section]',
default = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md default = [],
uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html action = 'append',
""", config_key = 'UKI/SBAT',
config_key = 'Addon/SBAT',
), ),
ConfigItem( ConfigItem(